Thursday Sep 11, 2008

Policy Agent 3.0: Learning About J2EE Agents By Using the Sample Application

This blog entry picks up where the last blog entry (GlassFish Instructions: domain1 for OpenSSO, domain2 for Policy Agent) left off. This entry is all about setting up the sample application; it assumes that you have completed the tasks described in the previous entry.

YOU SHOULD INSTALL THE SAMPLE APPLICATION!!! I mean, unless you're extremely familiar with J2EE agents, you'll learn most effectively and efficiently by installing the sample application and experimenting with it. By working with the sample application, you can see exactly how the agent behaves. It's invaluable.

Sample Application: To Configure Properties

The tasks described in this section provide a quick interaction with the sample application of the GlassFish agent (Policy Agent 3.0). Here I describe a fairly simple interaction with the sample application, as opposed to the more detailed one suggested in the sample application's readme.txt file. That readme.txt file is in the sampleapp directory, for example /GF_OSSO_PA/j2ee_agents/appserver_v9_agent/sampleapp/readme.txt, and you can learn a lot from it.

For example, the readme.txt file explains that "The web.xml deployment descriptor has already been edited to include the Agent Filter." This is nice. For my scenario, the web.xml file of the sample application is at this location: /GF_OSSO_PA/j2ee_agents/appserver_v9_agent/sampleapp/etc/web.xml. Look at that web.xml file to see how the filter has been added and how the descriptor is configured in general; it is a useful reference.

  1. In a browser, log in to the OpenSSO Console as the amAdmin user.
    For my scenario, I logged in to this URL:
    http://OpenssoHost.example.com:8080/opensso

  2. Navigate to the agent for which you deployed the sample application:
    For my scenario, I navigated to the following page:

    Access Control tab>opensso>Agents>J2EE>glassfishagent

    The Global tab is selected by default.

  3. Click the Application tab to configure four properties as described in the substeps that follow.

    At this point you navigate within the Application tab, setting various properties to configure the agent for the sample application.

    1. Configure the Login Form URI property as described:

      1. Navigate to the property:
        Login Processing>Login Form URI (com.sun.identity.agents.config.login.form)

        The following page from the Policy Agent 3.0 Properties wiki describes this property: http://wikis.sun.com/display/OpenSSO/j2eeapplicationloginprocessing

      2. In the field for Login Form URI property, enter the following value: /agentsample/authentication/login.html
      3. Click Add.

    2. Configure the Application Logout URI property as described:

      1. Navigate to the property:
        Logout Processing>Application Logout  URI (com.sun.identity.agents.config.logout.uri)

        The following page from the Policy Agent 3.0 Properties wiki describes this property: http://wikis.sun.com/display/OpenSSO/j2eeapplicationlogoutprocessing

      2. In the fields for the Application Logout URI property, enter the following values:

        Map Key        Corresponding Map Value
        agentsample    /agentsample/logout

      3. Click Add.

    3. Configure the Resource Access Denied URI property as described:

      1. Navigate to the property:
        Access Denied URI Processing>Resource Access Denied URI (com.sun.identity.agents.config.access.denied.uri)

        The following page from the Policy Agent 3.0 Properties wiki describes this property:
        http://wikis.sun.com/display/OpenSSO/j2eeglobalgeneralresourceaccessdenieduridetails

      2. In the fields for the Resource Access Denied URI property, enter the following key and value:

        Map Key        Corresponding Map Value
        agentsample    /agentsample/authentication/accessdenied.html


        The accessdenied.html page is included with the sample application. In a real deployment, a custom accessdenied.html page would have to be created for your site, if desired.

      3. Click Add.

    4. Configure the Not Enforced URIs property as described:

      1. Navigate to the property:
        Not Enforced URI Processing>Not Enforced URIs (com.sun.identity.agents.config.notenforced.uri)

        The following page from the Policy Agent 3.0 Properties wiki describes this property:
        http://wikis.sun.com/display/OpenSSO/j2eeapplicationnotenforceduriprocessing

      2. In the field for the Not Enforced URIs property enter each of the following values one at a time and click Add after entering each value:
        /agentsample/public/*
        /agentsample/images/*
        /agentsample/styles/*
        /agentsample/index.html
        /agentsample/
        /agentsample

      3. Scroll up as necessary to click Save.

  4. (Optional) Click the Global tab if you would like to increase the debug logging level as described in the substeps that follow.

    During agent deployment and testing, setting the debug level to "message" is very useful: the agent then writes its most verbose output, informational messages alongside errors and warnings, to the debug log file, which makes troubleshooting much easier. Lower it again once the agent is working; message-level logs grow quickly and record request details you may not want kept on a production host.
    1. Navigate to the following property General>Agent Debug Level (com.iplanet.services.debug.level)

      The following page from the Policy Agent 3.0 Properties wiki describes this property:
      http://wikis.sun.com/display/OpenSSO/j2eeglobalgeneralagentdebuglevel

    2. Select the "message" level.

    3. Scroll up as necessary to click Save.
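To make the effect of these four properties concrete, here is a small Python model of how the agent filter routes a request through them. It is an added example, not the agent's code and not anything from the sample application's readme: the wildcard semantics (a bare "*" matching any characters, "/" included), the "goto" parameter on the redirect to the OpenSSO login page, the explicit path normalization step, and the OpenssoHost/AgentHost names are assumptions of this model, while the property values are the ones configured above.

```python
import posixpath
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import quote, unquote


@dataclass
class AgentConfig:
    """The Application-tab values configured above, plus the OpenSSO login
    page the agent redirects unauthenticated users to (assumed URL)."""
    opensso_login: str = "http://OpenssoHost.example.com:8080/opensso/UI/Login"
    login_form_uri: str = "/agentsample/authentication/login.html"
    logout_uris: dict = field(default_factory=lambda: {"agentsample": "/agentsample/logout"})
    access_denied_uris: dict = field(default_factory=lambda: {
        "agentsample": "/agentsample/authentication/accessdenied.html"})
    not_enforced_uris: list = field(default_factory=lambda: [
        "/agentsample/public/*", "/agentsample/images/*", "/agentsample/styles/*",
        "/agentsample/index.html", "/agentsample/", "/agentsample"])


def normalize(raw_path: str) -> str:
    """Drop the query string, percent-decode, and collapse '.' and '..'.
    Matching the not-enforced list against the raw string would let
    /agentsample/public/../jsp/x.jsp ride through on the public/* entry.
    (Assumption of this model: the real agent relies on the container's
    normalization; here the step is explicit.)"""
    path = unquote(raw_path.split("?", 1)[0])
    norm = posixpath.normpath(path)
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def is_not_enforced(cfg: AgentConfig, path: str) -> bool:
    # Assumption: '*' matches any run of characters, '/' included; entries
    # without a wildcard such as "/agentsample" match literally.
    return any(fnmatchcase(path, pattern) for pattern in cfg.not_enforced_uris)


def app_key(path: str) -> str:
    """The first path segment is the key into the per-application maps."""
    parts = path.split("/")
    return parts[1] if len(parts) > 1 else ""


def decide(cfg: AgentConfig, raw_path: str, session_valid: bool, policy_allows) -> str:
    """Return what the filter does with one request. policy_allows(path)
    stands in for the policy decision OpenSSO returns for a logged-in user."""
    path = normalize(raw_path)
    app = app_key(path)
    if path == cfg.logout_uris.get(app):
        return "logout"                      # session ended; no application code runs
    if is_not_enforced(cfg, path):
        return "not-enforced"                # handed to the application with no checks
    if path == cfg.login_form_uri or not session_valid:
        # The application's own login form is never served: the user is sent
        # to OpenSSO and asked to come back to the page originally requested.
        return "redirect:" + cfg.opensso_login + "?goto=" + quote(path, safe="")
    if policy_allows(path):
        return "allow"
    return "deny:" + cfg.access_denied_uris.get(app, "403")   # agent shows the denied page
```

The order of the checks is the point: a logout request is honoured even without a valid session, a not-enforced resource never reaches the policy check, and an enforced resource is refused unless the policy says allow, so a too-broad not-enforced pattern (for example /agentsample/*) would silently open the whole application.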

Sample Application: To Create Users and Groups

  1. In the OpenSSO Console, navigate to the User subtab.

    For my scenario, I am picking up where I left off in the last task. Therefore, I just clicked Save after changing configuration property settings, so I selected the following options to get to the User tab:
    Back to Main Page>Subjects tab>User tab

  2. Create a new user "chris" (all lower case letters) with a password "chris" as described in the substeps that follow:

    1. Click New.

    2. Fill in the fields on the New User page as illustrated in the table that follows:

      New User Field        Enter the Following
      ID                    chris
      First Name            chris
      Last Name             chris
      Full Name             chris
      Password              chris
      Password (confirm)    chris
      User Status           Active

  3. Click OK.

    Notice that "chris" is now listed in the User list.

  4. Click the Group tab.

  5. Create two new groups, "manager" and "employee," as described in the substeps that follow:

    By the way, I messed up here originally and used uppercase initial letters. Therefore, I put "Manager" and "Employee". Later my mistake prevented "chris" from gaining access to some of the sample application pages. Hua Cui, my go-to agent developer for any such issues, figured it out and showed me a workaround, which involved the following attribute: Privileged Attributes To Lower Case (com.sun.identity.agents.config.privileged.attribute.tolowercase). For that attribute, the attribute type "group" had to be changed to true. That corrected my error and access was granted to "chris" as expected.

    1. Click New.

    2. Fill in the ID  field on the New Group page as illustrated in the table that follows:

      New Group Field    Enter the Following
      ID                 manager

    3. Click OK.

    4. Click New.

    5. Fill in the ID  field on the New Group page as illustrated in the table that follows:

      New Group Field    Enter the Following
      ID                 employee

    6. Click OK.

      Notice that "employee" and "manager" are now listed in the Group list.

  6. Add user "chris" to the "employee" group and the "manager" group as described in the substeps that follow:

    1. Click the User tab.

    2. Click chris in the list of users.

    3. Click the Group tab.

      The groups "employee" and "manager" are listed in the Available column.

    4. Click Add All to move "employee" and "manager" from the Available column to the Selected column.

    5. Click Save.

Sample Application: To Create Policies

The goal of this task is to create a policy for the sample application:
http://AgentHost.example.com:33053/agentsample/

  1. In the OpenSSO Console, navigate to the Policies tab.
    For my scenario, I am picking up where I left off in the last task. Therefore, I just clicked Save after adding "chris" to groups, so I selected the following options to get to the Policies tab:
    Back to Subjects>Policies

  2. Create a new policy by following the substeps shown:

    In filling in this info, I mostly just took names, such as P1, that Sean Brydon used in his detailed write up of the sample application.

    WARNING! If you don't click the OK button on the New Policy page, any new rules, subjects, conditions, and response providers you might have already created will be lost. They are not saved until the policy is saved.

    1. Click New Policy.

    2. In the Name field, in the General section, enter P1.

    3. Create a new rule by following the substeps shown:

      1. In the Rules section, click New.

      2. For step 1 of 2, ensure that "URL Policy Agent (with resource name)" is selected.

      3. Click Next.

      4. For step 2 of 2, complete the page as shown in the table that follows:

        New Rule Component    Perform the Following
        Name                  Enter: JSP Pages
        Resource Name         Enter: http://AgentHost.example.com:33053/agentsample/*
        Action: GET           Click GET with Allow chosen
        Action: POST          Click POST with Allow chosen

      5. Click Finish.

    4. Create a new subject by following the substeps shown:

      The goal is to assign the groups "employee" and "manager"  to the subject.

      1. In the Subjects section, click New.

      2. For step 1 of 2, ensure that OpenSSO Identity Subject is selected.

      3. Click Next.

      4. For step 2 of 2, complete the page as indicated in the table that follows.

        New Subject Component    Perform the Following
        Name                     Enter: S1
        Exclusive                Nothing; skip this.
        Filter                   Select Group as the identity type (you do not need to use the field to the right), then click Search.
        Available -> Selected    Click Add All to move "employee" and "manager" from the Available column to the Selected column.

      5. Click Finish.

        This brings you back to the New Policy Page.

    5. Click OK to save the entire policy.
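The policy P1 and the group-to-role mapping can be checked together with a few lines of Python. This is an added example, not OpenSSO's policy evaluator or the agent's code: it assumes that "*" in a resource name matches any characters including "/", that a group subject matches a user who belongs to any one of its groups, and that group names are used unchanged as J2EE role names unless the Privileged Attributes To Lower Case property (the one from the groups task above) is on. The policy and group values are the ones created above; user membership is constructed inline.

```python
from fnmatch import fnmatchcase

# Policy P1 as created above: one URL rule, one group subject. This dict is a
# constructed representation for the example, not OpenSSO's storage format.
POLICY_P1 = {
    "name": "P1",
    "rules": [{
        "name": "JSP Pages",
        "resource": "http://AgentHost.example.com:33053/agentsample/*",
        "actions": {"GET": "allow", "POST": "allow"},
    }],
    "subjects": [{"name": "S1", "type": "Group", "values": {"employee", "manager"}}],
}


def subject_applies(policy, user_groups):
    """S1 matches a user who is in any of its groups (Exclusive was left off)."""
    return any(s["values"] & set(user_groups)
               for s in policy["subjects"] if s["type"] == "Group")


def rule_decision(rule, method, url):
    """'allow'/'deny' if the rule covers this URL and method, else None.
    Assumption: '*' matches any characters, '/' included. The whole URL is
    matched, so scheme, host and port must agree with the resource name:
    an https:// URL or one without :33053 is simply not covered by P1."""
    if not fnmatchcase(url, rule["resource"]):
        return None
    return rule["actions"].get(method)


def evaluate(policy, user_groups, method, url):
    """Return 'allow', 'deny' or 'no-policy'. The agent treats anything but
    'allow' as denied, so a URL outside every rule is refused, not open."""
    if not subject_applies(policy, user_groups):
        return "no-policy"
    decisions = set()
    for rule in policy["rules"]:
        d = rule_decision(rule, method, url)
        if d is not None:
            decisions.add(d)
    if "deny" in decisions:
        return "deny"                       # an explicit deny wins over any allow
    return "allow" if "allow" in decisions else "no-policy"


def j2ee_roles(user_groups, tolowercase=False):
    """Privileged-attribute mapping: the user's group names become the J2EE
    role names seen by web.xml security constraints and isUserInRole().
    With Privileged Attributes To Lower Case off, a group named 'Manager'
    does not satisfy a role named 'manager' (the mistake described above)."""
    return {g.lower() if tolowercase else g for g in user_groups}


def user_in_role(user_groups, role, tolowercase=False):
    return role in j2ee_roles(user_groups, tolowercase)
```

Two things the sample application makes visible fall out of this: the URL Policy Enforcement link depends only on evaluate() returning "allow" for the group member, while the J2EE Declarative Security and Security API links depend on the role names matching exactly, which is why the uppercase group names broke only some of the pages.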

Working with the Sample Application

CAUTION! The sample application and the OpenSSO Console will interfere with each other if you view them in the same browser, because they share the same OpenSSO session cookie. So don't. If you are going to view the Console and the sample application on the same computer, either close the Console first or use different browsers, for example Firefox for the Console and Internet Explorer for the sample application.

Furthermore, things can get odd with the sample application in terms of cookie expiration. You might need to log out, especially if you get an access denied page.


Logging Out of the Agent Sample Application
The logout page does not have to exist for you to log out of the sample application. You can type "logout" in the URL field after the string "agentsample/". For example, http://AgentHost.example.com:33053/agentsample/logout.

When the agent receives a request for the resource ".../agentsample/logout" (the Application Logout URI configured earlier), it invokes its logout feature, which logs the user out of the application. You can verify that the user is logged out by trying to access a protected resource: you are asked to log in again. Alternatively, go to the OpenSSO Console main page and click the Sessions tab, which lists all active sessions; the user is no longer listed after logging out of the application.


  1. Using a browser, access the sample application.
    For example, visit the appropriate URL, as such: http://AgentHost.example.com:33053/agentsample

    If everything works out, you'll see a page such as illustrated by the following image:

    (Image: the sample application home page)
  2. Click URL Policy Enforcement in the left frame.
    A page shows up with a link worded as such:
    "Invoke a Servlet Protected by URL Policy".

  3. Click the  "Invoke a Servlet Protected by URL Policy" link.

    The agent  takes you to the OpenSSO login page.

  4. Enter the credentials for chris: chris/chris.

    If things go well, the browser presents a page with the following message:
    Successful Invocation: Please Verify


  5. Try the other two links (J2EE Declarative Security and J2EE Security API).

  6. On those two pages, click the various  links  that start with the word "Invoke."

    In each case, you should see the same success message:
    Successful Invocation: Please Verify

  7. Click Show HTTP Headers.

    A table appears, such as the one below, showing the request information that reaches the sample application: method, URI, headers, cookies, and request attributes.

    Showing Request Information Including Headers, Cookies, and Attributes

    Request Method: GET
    Request URI: /agentsample/jsp/showHttpHeaders.jsp
    Request Protocol: HTTP/1.1
    Request Scheme: http
    Request Server Name: AgentHost.example.com
    Request Server Port: 33053

    Header Name        Header Value
    host               AgentHost.example.com:33053
    user-agent         Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8.1.4) Gecko/20070622 Firefox/2.0.0.4
    accept             text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    accept-language    en-us,en;q=0.5
    accept-encoding    gzip,deflate
    accept-charset     ISO-8859-1,utf-8;q=0.7,*;q=0.7
    keep-alive         300
    connection         keep-alive
    referer            http://AgentHost.example.com:33053/agentsample/public/urlpolicy.html
    cookie             JSESSIONID=b6eb2151444c60fee7b61605c215; s_vi=[CS]v1|48B43B1200006FE8-A000B0400005553[CE]; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcxG/3VzZI+HWuNsJhQ5ESAh7OTM7qYv2uU=@AAJTSQACMDE=#

    Request Attribute Name                    Attribute Value
    com.sun.enterprise.http.sessionTracker    org.apache.coyote.tomcat5.SessionTracker@1a9d205

    If you change the agent's attribute-related properties, you can see the changes reflected on the Show HTTP Headers page of the sample application. For example, changes to the properties in the Profile Attributes Processing, Session Attributes Processing, and Response Attributes Processing sections of the Console show up there as additional headers, cookies, or request attributes. Note that the cookie line above includes the iPlanetDirectoryPro cookie, which is the user's OpenSSO session token: anyone who can read this page, or a log that captures it, holds that session until it expires or is logged out. Keep that in mind before exposing such a page outside a test setup.

GlassFish Instructions: domain1 for OpenSSO, domain2 for Policy Agent

This blog entry explains how to install GlassFish to host both OpenSSO server and Policy Agent 3.0. I then get into a little about deploying the agent sample application. In the very next blog entry, I get into configuring and experimenting with the sample application.

This one entry includes various tasks. The deployment described involves two GlassFish domains: one for OpenSSO (between builds 5 and 6) and one for the GlassFish agent (Agent for Application Server 9.0). The instructions are all for a Solaris 10 SPARC machine.

I've covered some of this before in this blog. However, I was using older OpenSSO builds. Some instruction details have changed since then. Furthermore, the use of two domains on GlassFish is new. Also, the sample application details included in the next blog entry are new.

NOTE TO READER: If you see anything that isn't clear or is outright incorrect, don't hesitate to leave a comment. I'll try to straighten it out.

To Install GlassFish

This task description explains how to install GlassFish as an eventual container for OpenSSO server and Policy Agent 3.0.  This is all being performed on on a Solaris 10 SPARC machine. The objective is to deploy OpenSSO on GlassFish domain1. Then to create a second glassfish domain (domain2) and install Policy Agent 3.0 (Agent for Application Server 9.0).
  1. Set the JAVA_HOME or JRE_HOME variable.
    For my environment (using the Bourne shell, a.k.a. the "sh" shell), I did the following:
    1. Issue the following command:
      # JAVA_HOME=/usr/jdk/instances/jdk1.5.0
    2. Issue the following command:
      # export JAVA_HOME
    3. Issue the following command:
      # env
      This lets you confirm that JAVA_HOME (or JRE_HOME, if that is the variable you set) appears in the list of environment variables.

  2. Make a directory for the GlassFish installation.
    For example, in the root directory:
    # mkdir GF_OSSO_PA
    That's my shorthand for GlassFish container for OpenSSO server and the Glassfish agent.

  3. Using a browser, download glassfish-installer-v2ur2-b04-sunos.jar to the GlassFish installation directory you just created. As you know, I named it as follows: /GF_OSSO_PA

    I downloaded the GlassFish build listed above. I reached that file (and you will see other similar GlassFish builds) by starting here:
    https://glassfish.dev.java.net/public/downloadsindex.html
    Which brought me here:
    https://glassfish.dev.java.net/downloads/v2ur2-b04.html
    This is the wording and such for the download I finally got:
    Solaris SPARC Platform
    glassfish-installer-v2ur2-b04-sunos.jar, size 54M

    You can navigate to the download, or right-click the file name shown above and choose the option that controls where the download is saved within your directory system.

  4. Using the command line, extract the file using:
    # java -Xmx256m -jar glassfish-installer-v2ur2-b04-sunos.jar
    A license agreement appears.

  5. Accept the agreement
    1. Scroll and read through the agreement.
    2. Click Accept.
    This creates a glassfish directory with everything inside.

  6. Change into the glassfish directory. For example:
    # cd /GF_OSSO_PA/glassfish

  7. Run the two following commands: 
    • # chmod -R +x lib/ant/bin
    • # lib/ant/bin/ant -f setup.xml

  8. After a successful build, change to the glassfish/bin directory. For example:
    # cd /GF_OSSO_PA/glassfish/bin

  9. Issue the command to start domain1:
    For example, I issued the following command:

    ./asadmin start-domain domain1

  10. Using a browser, verify the server is running by accessing http://OpenSSOhost.example.com:8080.
    You should get a Server Running page.

    I'm referring to this host,  which is using domain1, as OpenSSOhost because it will host the OpenSSO server.

  11. Using a browser, login to domain1 of GlassFish as admin (PW: adminadmin) by accessing the console using a browser:
    An example of the URL is as follows: http://OpenSSOhost.example.com:4848.

    Notice that 4848 is the port for the console for domain1 of Glassfish. The console for other domains will have different port numbers.

  12. Edit the domain.xml file of domain1 as described in the substeps that follow:

    When Glassfish is the container for the OpenSSO server, the domain.xml file should be edited as described.

    1. Change directories to the config directory of domain1.
      For example:
      # cd /GF_OSSO_PA/glassfish/domains/domain1/config

    2. Using your text editor of choice, open the domain.xml file.

    3. Change the following JVM options as shown in the table below:

      Change                  Line Before Editing                    Line After Editing
      "client" to "server"    <jvm-options>-client</jvm-options>     <jvm-options>-server</jvm-options>
      "512" to "1024"         <jvm-options>-Xmx512m</jvm-options>    <jvm-options>-Xmx1024m</jvm-options>

      The new options take effect the next time domain1 is started.

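Rather than editing domain.xml by hand, the two changes in the table can be scripted so that the edit is verified and can be re-run safely. The following Python is an added example, not part of GlassFish or OpenSSO; it assumes the options appear as whole <jvm-options> elements without extra whitespace, as in the default domain.xml, and the XML in the block is a constructed excerpt, not a copy of a real file.

```python
import shutil

# The two edits from the table above. Matching is on the whole element, so an
# option that merely contains "512m" (e.g. -XX:MaxPermSize=512m) is never touched.
JVM_EDITS = {"-client": "-server", "-Xmx512m": "-Xmx1024m"}

# Constructed excerpt of a default domain.xml, used only for demonstration.
SAMPLE_DOMAIN_XML = """<java-config classpath-suffix="" debug-enabled="false">
  <jvm-options>-client</jvm-options>
  <jvm-options>-Xmx512m</jvm-options>
  <jvm-options>-XX:MaxPermSize=192m</jvm-options>
</java-config>
"""


def _element(value):
    return f"<jvm-options>{value}</jvm-options>"


def tune_jvm_options(xml_text, edits=JVM_EDITS):
    """Return (new_text, changes). Idempotent: an option already carrying the
    new value is reported as unchanged; a file with neither the old nor the
    new value raises, so a silent no-op on the wrong file cannot happen."""
    changes = []
    new_text = xml_text
    for old, new in edits.items():
        if _element(old) in new_text:
            new_text = new_text.replace(_element(old), _element(new))
            changes.append((old, new))
        elif _element(new) not in new_text:
            raise ValueError(f"neither {old} nor {new} found as a <jvm-options> value")
    return new_text, changes


def apply_to_file(path):
    """Edit a domain.xml in place, keeping the untouched original as
    <path>.orig so the change can be reverted. Returns the list of changes."""
    with open(path) as f:
        text = f.read()
    new_text, changes = tune_jvm_options(text)
    if changes:
        shutil.copy2(path, path + ".orig")
        with open(path, "w") as f:
            f.write(new_text)
    return changes
```

Usage is apply_to_file("/GF_OSSO_PA/glassfish/domains/domain1/config/domain.xml"); running it a second time returns an empty change list instead of touching the file again.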
To Create a Second GlassFish Domain

These instructions are necessary if you are going to install OpenSSO and the GlassFish agent on the same Glassfish server. You cannot install the two on the same domain, so you will need to create a second GlassFish domain.

  1. Ensure that domain1 is running.

    You can do this by checking that GlassFish is accessible in a browser.
    For my scenario, I visited the following URL: http://OpenSSOhost.example.com:8080

    With domain1 running, create-domain sees that domain1's ports are in use and assigns domain2 different ones, so the two domains cannot collide.

  2. Issue the command to create domain2:
    For example, I issued the following command:

    # /GF_OSSO_PA/glassfish/bin/asadmin create-domain --adminport 6868 --user admin domain2

    Notice that the port 6868 used in the command above is the admin port for GlassFish domain2, while port 4848 is the admin port for GlassFish domain1.

  3. Enter adminadmin as the password for the various password prompts you receive.

    After you provide all the passwords, a list of configuration information is displayed.

  4. Note the port number for the HTTP instance.

    You will need this port number when you create the profile for the Agent for Application Server 9.0 (the GlassFish agent) and when you install the agent. Look for the line about the HTTP instance. For example:
    Default port 8080 for HTTP Instance is in use. Using 33053
    In such a case you would note 33053. You will need that port number (whatever it might be) when you install the agent on domain2.

  5. Start the second GlassFish domain:
    For example, I issued the following command:

    # /GF_OSSO_PA/glassfish/bin/asadmin start-domain domain2

  6. Enter adminadmin as the password for the password prompt you receive.

  7. Using a browser, verify that you have access to the GlassFish console for domain2 by logging in to domain2 using admin (PW: adminadmin):

    An example of the URL is as follows: http://OpenSSOhost.example.com:6868.

  8. Shutdown the second GlassFish domain:
    For example, I issued the following command:

    # /GF_OSSO_PA/glassfish/bin/asadmin stop-domain domain2

    If domain2 is running when you install the agent later, the installer's changes to the domain2 configuration files may conflict with, or be overwritten by, the running domain, so shut it down first.

  9. Shutdown the first GlassFish domain:
    For example, I issued the following command:

    # /GF_OSSO_PA/glassfish/bin/asadmin stop-domain domain1

To Install OpenSSO on GlassFish Domain1

These instructions involve downloading OpenSSO in the same directory where I downloaded GlassFish (GF_OSSO_PA). I use domain1 of the GlassFish server.
  1. Change directories to the location you want to download the OpenSSO binaries.

    I used the GF_OSSO_PA directory I created previously. For example, I issued the following command:
    # cd /GF_OSSO_PA

  2. Using a browser, download the OpenSSO binaries to the directory of your choice.
    For my scenario, I downloaded the binaries to the following directory: GF_OSSO_PA

    The general URL to start from is as follows:

    https://opensso.dev.java.net/public/use/index.html

    A more specific location on the above page, for periodic builds, is here:
    https://opensso.dev.java.net/public/use/index.html#periodic

    The above URL brings you to the table named Periodic OpenSSO and Client SDK Builds. Right-click the "opensso.zip" link in that table and choose the option that controls where the download is saved within your directory system.

    At the time I performed this task, the latest build was September 10th. When I install the GlassFish agent (described later in this blog entry), I also use the September 10th build. 

    Be aware that there's a risk-reward relationship involved with using periodic builds. The reward is that you might be able to see the newest features and behaviors. The risk is that the chances of the build failing or acting oddly are greater than when you use a stable build. At least you know the September 10th build is stable enough to handle all the tasks described in this blog entry.

    If you want to install the same build that I did (since you know it's relatively stable) but at a point in time in which the Sept 10th build is no longer available from the Periodic OpenSSO and Client SDK Builds table, then you can pick it up at this link: http://download.java.net/general/opensso/nightly/20080910.1/opensso/

    Go to that page, right-click the opensso.zip link, and choose the directory the file is downloaded to.

  3. Unzip the opensso.zip file.
    I used the following command:
    # unzip opensso.zip

    This creates an opensso directory. Therefore, for me the opensso directory was at the following location: /GF_OSSO_PA/opensso

  4. Copy the opensso.war file from the distributed opensso files to the autodeploy directory of the GlassFish server domain1.
    For example:
    cp /GF_OSSO_PA/opensso/deployable-war/opensso.war /GF_OSSO_PA/glassfish/domains/domain1/autodeploy

    A few ways exist to deploy the opensso.war file. The command above demonstrates the method I used.

  5. Start domain1 of the GlassFish server.
    For Example, I issued the following command:

    # /GF_OSSO_PA/glassfish/bin/asadmin start-domain domain1

    Starting GlassFish domain1 with the opensso.war file in the autodeploy directory deploys the opensso.war file.

  6. Confirm that GlassFish domain1 has started and OpenSSO has deployed as described in the substeps that follow:

    1. Use a browser to check that Glassfish domain 1 has started:
      For example, in a browser window, go to the following location:
      http://OpenSSOhost.example.com:8080/

      If everything goes properly, you will see the message:
      "Your Application Server is now running"

    2. Add the string opensso to the URL in the browser window.
      For example:
      http://OpenSSOhost.example.com:8080/opensso

      If everything goes properly, you will see the OpenSSO server page labeled Configuration Options.

  7. Proceed with the configuration as described in the substeps that follow:
    You don't need to go with the default configuration, but that's what I did.

    1. Click Create Default Configuration.

    2. Enter the same password for both of the Default User Fields: Password and Confirm.
      For example, admin123.

      By the way, the password you enter here is used by you and other administrators to log into OpenSSO. At that Login page (which comes up when you visit http://OpenSSOhost.example.com:8080/opensso), the value to enter for the User Name field is amAdmin while the password is the one you are creating in this substep.

    3. Enter the same password for both of the Default Agent Fields: Password and Confirm.
      For example, agent123.
      Ensure that this password is different from the one you just created in the step above.
      You might never need this password again. One situation in which you would need it is if you install Policy Agent 2.2 against this OpenSSO deployment; in that case the password is used together with the user name "UrlAccessAgent."

    4. Click OK.

      The configuration process continues for a couple of minutes and then shows a configuration complete message.

    5. Click  Proceed to Login.
      This brings you to the login page, which is at a URL such as the following:
      http://OpenSSOhost.example.com:8080/opensso/UI/Login

  8. Log in using the proper credentials.
    For example:
    User Name: amAdmin
    Password: admin123

To Create an Agent Password File

The agent installer prompts for the location of this file.
  1. Create an ASCII text file for the agent profile password. The following is an example
    of such a text file: /GF_OSSO_PA/gfagentpw

    I combined steps one and two by creating the file (gfagentpw) and adding the password (agent456) in a single command as follows:

    # echo agent456>>/GF_OSSO_PA/gfagentpw

  2. (CONDITIONAL) If you didn't combine the creation of the file and its contents in one command, use a text editor to enter the appropriate password in clear text on the first line of the file.

  3. Secure the password file appropriately, depending on the requirements of your deployment. At a minimum, make it readable only by the user who runs the agent installer, and bear in mind that a password typed on the command line as above can also end up in the shell history.

To Create the Agent Profile in the OpenSSO Console

When I install the agent, I won't choose the option for the agent installer to create the agent profile for me automatically (agentadmin --custom-install), so I need to do this task myself.
  1. Using a browser, log in to OpenSSO Console as amAdmin.
    For example:
    http://OpenssoHost.example.com:8080/opensso
  2. Select Access Control tab>realmname (such as Top Level Realm)>Agents>J2EE
  3. In the Agent section, click New.
  4. Fill in the fields as appropriate:

    Field                Example Value
    Name                 glassfishagent
    Password             agent456
    Re-enter Password    agent456
    Configuration        Centralized
    Server URL           http://OpenssoHost.example.com:8080/opensso
    Agent URL            http://AgentHost.example.com:33053/agentapp

    About the fields: Note the name and password you enter, since you will need them again. The password must match the one in the agent password file (agent456 in my scenario). Centralized configuration is a key feature of Policy Agent 3.0: it lets you manage the agent's properties from the OpenSSO Console rather than in local files on the agent host. For the Server URL, enter the URL of the OpenSSO server, which in this case is on GlassFish domain1. For the Agent URL, enter the URL of the GlassFish instance that will host the agent, with the HTTP port of domain2, which in my scenario was port 33053 as explained in the task "To Create a Second GlassFish Domain."

To Install the GlassFish Agent on GlassFish Domain2

This task involves the installation of the GlassFish agent on the GlassFish server, domain2.
  1. Download the Sun Java System Application Server 9 (GlassFish) agent to the directory in which you want to install the agent.

    For my situation, I'm downloading the agent in to the following directory: /GF_OSSO_PA

    Since I used the September 10 build for the OpenSSO download, I'll be using the same date for the GlassFish agent download. If you install the OpenSSO server and the agent on the same day, the "latest" directory for the two downloads will have the same date.

    You can start from the following URL for the latest J2EE agent builds:
    http://download.java.net/general/opensso/nightly/latest/j2eeagents/

    On that page, right-click the link "appserver_v9_agent_3.zip" in the table and choose the option that controls where the download is saved within your directory system.

    If you want to install the same build that I did, but at a point in time when the Sept 10th build is no longer available from the J2EE agent page listed above, you can pick it up at this link: http://download.java.net/general/opensso/nightly/20080910.1/j2eeagents/

    On that page, right-click the appserver_v9_agent_3.zip link and choose which directory the file is downloaded to.

  2. Unzip the zip file.
    For example:
    # unzip appserver_v9_agent_3.zip

  3. (Conditional) Ensure that GlassFish domain1 is running.
    During agent installation, the installer contacts the OpenSSO server. The installation completes more fully if the OpenSSO server is running and reachable.

    For example, you can check the GlassFish console (http://OpenssoHost.example.com:4848). If it is not accessible, start GlassFish domain1 (For example # /GF_OSSO_PA/glassfish/bin/asadmin start-domain domain1)

  4. Change to the directory that contains the agentadmin utility. For example:
    # cd /GF_OSSO_PA/
    j2ee_agents/appserver_v9_agent/bin

  5. Set the permissions for the agentadmin utility. For example:
    # chmod 755 agentadmin

  6. Start the agent installation. For example:
    # ./agentadmin --install

    I used ./agentadmin --install instead of ./agentadmin --custom-install.

  7. Complete the installation as described in the substeps that follow:
    1. Continually press enter to accept the various parts of the license agreement.

    2. Enter yes to accept the complete agreement.
      You must then answer the agent installer prompts. Many of your responses will be responses you provided when you created the agent profile.

    3. Respond to the following prompt:
      Enter the Application Server Config Directory Path
      [/opt/SUNWappserver/domains/domain1/config]:

      I responded with the following:
      /GF_OSSO_PA/glassfish/domains/domain2/config

    4. Respond to the following prompt:
      OpenSSO server URL:

      I responded with the name of the GlassFish Server domain1, which is where I installed OpenSSO:
      http://OpenssoHost.example.com:8080/opensso

      I've messed up here before where I put a forward slash "/" after "opensso": That causes huge problems. Don't put anything after "opensso": not even a space.

    5. Respond to the following prompt:
      Agent URL:

      I responded with the name of the GlassFish instance including the port for domain2:
      http://AgentHost.example.com:33053/agentapp

    6. Respond to the following prompt:
      Enter the Agent Profile name:

      I responded with the following:
      glassfishagent

    7. Respond to the following prompt:
      Enter the path to the password file:

      I responded with the following:
      /GF_OSSO_PA/gfagentpw

      Then, a summary of your responses is displayed as such:

      Verify your settings above and decide from the choices below.
      1. Continue with Installation
      2. Back to the last interaction
      3. Start Over
      4. Exit
      Please make your selection [1]:

    8. Choose the applicable option.

      I responded by pressing Return to accept the default choice: "1. Continue with Installation"
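As an added example (not from the blog or the agent distribution), here is a small POSIX shell pre-flight check for the values you type at the step 7 prompts. It catches the trailing slash or space after "opensso" mentioned above, a config directory with no domain.xml in it, and a missing password file. The function names and the temporary demo paths are my own; the URLs are the ones from this scenario.

```shell
#!/bin/sh
# Added example, not part of the agent distribution: sanity-check the answers
# you will give agentadmin --install before the installer writes them into the
# agent configuration. Function names and demo paths are constructed.

# Strip surrounding whitespace and any trailing slashes from a URL.
normalize_url() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's#/*$##'
}

# Succeed only for scheme://host[:port]/context with nothing after the context:
# no trailing slash, no whitespace, no extra path components.
check_server_url() {
    printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?/[A-Za-z0-9._-]+$'
}

# The config directory the installer asks for must hold the domain's domain.xml.
check_config_dir() {
    [ -d "$1" ] && [ -f "$1/domain.xml" ]
}

# The password file only needs to exist and be readable here; its content is
# checked when it is created.
check_password_file() {
    [ -f "$1" ] && [ -r "$1" ]
}

# preflight OPENSSO_URL AGENT_URL CONFIG_DIR PASSWORD_FILE
# Prints the normalized URLs to paste at the prompts; returns non-zero if any
# answer would cause trouble.
preflight() {
    server_url=$(normalize_url "$1")
    agent_url=$(normalize_url "$2")
    status=0
    check_server_url "$server_url" || { echo "bad OpenSSO server URL: '$1'" >&2; status=1; }
    check_server_url "$agent_url"  || { echo "bad agent URL: '$2'" >&2; status=1; }
    check_config_dir "$3"          || { echo "no domain.xml under: $3" >&2; status=1; }
    check_password_file "$4"       || { echo "password file unreadable: $4" >&2; status=1; }
    printf 'OpenSSO server URL: %s\nAgent URL: %s\n' "$server_url" "$agent_url"
    return $status
}

# Demonstration with constructed paths mirroring the domain2 scenario above.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/domain2/config"
: > "$demo_dir/domain2/config/domain.xml"
printf 'agent123\n' > "$demo_dir/gfagentpw"
# The trailing slash after "opensso" is stripped before the URL is checked.
if preflight "http://OpenssoHost.example.com:8080/opensso/" \
             "http://AgentHost.example.com:33053/agentapp" \
             "$demo_dir/domain2/config" "$demo_dir/gfagentpw"; then
    echo "answers look good"
fi
rm -rf "$demo_dir"
```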

To Deploy Applications on GlassFish

There are a few ways to deploy applications on GlassFish. This task shows the method I used. I deployed two applications at the same time. The agentapp.war file is used for housekeeping tasks, and it is required for the notification mechanism to function. The agentsample.ear file is the J2EE agent sample application, which gives you the opportunity to practice protecting an application with the agent. Therefore, you can create policies and perform other tasks that control access to the application and then test those policies. I'll be configuring the sample application in the next task, so I decided to deploy it at the same time that I'm deploying the agent application.

Deploying the sample application (e.g., agentsample.ear) the way I do below (without building my own sample application) is possible because the agentsample.ear file is already built for me with the assumption that I used the default realm, "opensso", when installing the OpenSSO server. Well, good, I really did use the "opensso" realm, so I didn't have to change the realm information and rebuild the sample application myself. By the way, such details are explained in the sample application readme.txt file:
(e.g. /GF_OSSO_PA/j2ee_agents/appserver_v9_agent/sampleapp/readme.txt)

  1. Copy the agentapp.war file and the agentsample.ear file to the GlassFish domain2 autodeploy directory. For example, from the root directory, I issued the following commands:

    # cp /GF_OSSO_PA/j2ee_agents/appserver_v9_agent/etc/agentapp.war /GF_OSSO_PA/glassfish/domains/domain2/autodeploy

    # cp /GF_OSSO_PA/j2ee_agents/appserver_v9_agent/sampleapp/dist/agentsample.ear /GF_OSSO_PA/glassfish/domains/domain2/autodeploy

    [Image: GlassFish Console: Left Pane]

  2. Start GlassFish domain2 (the domain on which the agent is installed) with the appropriate command. For example I issued the following command:
    # /GF_OSSO_PA/glassfish/bin/asadmin start-domain domain2

  3. Enter the master password.
    For example:
    adminadmin

    When the domain starts, the two applications will deploy.

  4. Verify that the Application Server is running and the two applications were deployed as described in the substeps that follow:

    1. Using a browser, access http://GlassFishHost.example.com:6868

      Remember that because of the way I created domain2, port 6868 is the correct port for domain2.

    2. Log in with the proper credentials. For example:
      User name: admin
      Password: adminadmin

  5. In the left pane, click the arrows next to the following labels:
    • Enterprise Applications
    • Web Applications

    You should see the two applications you just deployed, the agentsample and the agentapp, as illustrated in the image to the right.

    Now things are set for you to experiment with the sample application.

    Sean Brydon has written up quite a bit about the J2EE sample application; the quick example is here and the detailed example is here.
The very next blog entry (Policy Agent 3.0: Learning About J2EE Agents By Using the Sample Application) describes how to set up the sample application. It's really important and useful info. Really!!!

Monday Jul 21, 2008

How to Install GlassFish Then Policy Agent 3.0

This entry describes how to install GlassFish as a container for content to be protected by Policy Agent 3.0 (Agent for Application Server 9.0) on a Solaris 10 (SPARC) machine. I also provide the instructions for installing the agent and performing some preliminary agent configuration. These instructions are related to the instructions I already provided in the following entry: http://blogs.sun.com/JohnD/entry/how_to_install_tomcat_6.

NOTE TO READER: If you see anything that isn't clear or is outright incorrect, don't hesitate to leave a comment. I'll try to straighten it out.

Also, in this blog, you can bring up a list of blog entries with instructions for this deployment. This deployment is all on one machine (on Solaris 10) and includes OpenSSO server on Tomcat 6.x with the Application Server 9.0 agent on GlassFish server. This will probably include other configurations, too, such as deploying the sample application and more. Click the following link:
Blog entries related to the deployment: Tomcat for OpenSSO & GlassFish for GlassFish agent

The How-to Information I'm Providing

About Tomcat, GlassFish, OpenSSO (FAM 8.0), and Policy Agent 3.0:
  1. Installed Tomcat 6.x on Solaris 10 (SPARC) and then OpenSSO on top of that. See this blog entry.
  2. The blog entry (you're reading now) is about installing GlassFish on the same machine used for step 1 and then installing the GlassFish agent, a J2EE agent, which is also referred to as appserver_v9_agent.
  3. In a blog entry in the near future, I hope to describe more about how to set up the J2EE agent sample application. Actually, Sean Brydon has written up quite a bit about installing the agent and the sample application, see this link here, and for lots of details on installing the J2EE agent sample application, see this link here. The tasks Sean describes are on earlier builds of OpenSSO and the agent, but the concepts are clear.
All of the how-to info I'm providing is in reference to one machine. I've installed it all on one machine.
  • Tomcat 6.x is the J2EE container for OpenSSO
  • GlassFish is the J2EE container protected by the Sun Java System Application Server agent (the GlassFish agent)
I refer to the one machine in various ways, depending upon which server I'm focusing on at that moment. For example, you'll see all of the following:

Tomcat:
  • http://TomcatHost.example.com:8080/
  • http://OpenssoHost.example.com:8080/opensso
GlassFish:
  • http://GlassFishHost.example.com:4848
  • http://AgentHost.domain:8090

Just know that, for my instructions, all the URLs are served from the same machine, even though the host name is shown differently.

To Install GlassFish

This task description explains how to install GlassFish as an eventual container for Policy Agent 3.0 (Agent for Application Server 9.0) on a Solaris SPARC machine. This is with the assumption that OpenSSO is already running on this machine on Tomcat 6.x as I described in the following entry: http://blogs.sun.com/JohnD/entry/how_to_install_tomcat_6.
  1. Set the JAVA_HOME or JRE_HOME variable.
    For my environment (using the Bourne shell a.k.a "sh" shell), I did the following:
    1. Issue the following command:
      # JRE_HOME=/usr/jdk/instances/jdk1.5.0
    2. Issue the following command:
      # export JRE_HOME
    3. Issue the following command:
      # env
      This allows you to ensure that the JRE_HOME variable is set in the list of environment variables.

  2. Make a directory for the GlassFish installation.
    For example, from the root directory:
    # mkdir pa3gf
    That directory means Policy Agent 3.0 for GlassFish.

  3. Using a browser, download glassfish-installer-v2ur2-b04-sunos.jar from
    http://www.java.net/download/javaee5/v2ur2/promoted/SunOS/glassfish-installer-v2ur2-b04-sunos-ml.jar
    to the pa3gf directory.

    I downloaded the GlassFish build listed above. However, more options for GlassFish builds are listed here:
    https://glassfish.dev.java.net/public/downloadsindex.html

  4. Using the command line, extract the file using:
    # java -Xmx256m -jar glassfish-installer-v2ur2-b04-sunos.jar
    A license agreement appears.

  5. Accept the agreement.
    1. Scroll and read through the agreement (in a perfect world, at least).
    2. Click Accept.
    This creates a glassfish directory with everything inside.

  6. Change into the glassfish directory.

  7. (Conditional) If the GlassFish host has another server on it running on port 8080, change the GlassFish port number as described in the substeps that follow.

    I'm installing GlassFish to host the agent. I already have Tomcat 6.x installed on port 8080. By default, GlassFish attempts to use port 8080. If 8080 is already in use, the GlassFish installation will not complete. Therefore, this task describes how to change the default port from 8080 to 8090.

    1. Open the setup.xml file with a text editor.
    2. Locate the following line:
      <property name="instance.port" value="8080"/>
    3. Change the port number to something else, such as 8090.
      I'm not sure what range of port numbers is acceptable for instance.port, but 8090 is definitely acceptable.

      If you wanted to change the GlassFish port number after the installation, you would not edit the setup.xml file but the domain.xml file. Here's an example location for that file:  /pa3gf/glassfish/domain1/config/domain.xml

  8. Run the two following commands: 
    • # chmod -R +x lib/ant/bin
    • # lib/ant/bin/ant -f setup.xml

  9. After a successful build, change to the glassfish/bin directory. For example:
    # cd pa3gf/glassfish/bin

  10. Issue the following command:
    # ./asadmin start-domain domain1

  11. Using a browser, verify the server is running by accessing http://AgentHost.domain:8090.
    You should get a Server Running page.

    I'm referring to this server as AgentHost because it will host the GlassFish agent.

  12. Log in to GlassFish as admin (PW: adminadmin) by accessing the console at https://AgentHost.domain:4848.
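As an added example (not from the blog or the GlassFish installer), here is a POSIX shell function that makes the step 7 edit to setup.xml from the command line. It refuses to touch the file unless it contains exactly one instance.port property and the new value is a valid TCP port number, and it keeps a copy of the original. The function names and the sample setup.xml contents are constructed.

```shell
#!/bin/sh
# Added example (not from the blog or the GlassFish installer): change the
# instance.port property in setup.xml from the command line, with checks a
# hand edit would skip. The sample file below is constructed, not a real setup.xml.

# get_instance_port SETUP_XML  -> prints the configured port
get_instance_port() {
    sed -n 's|.*<property name="instance.port" value="\([0-9]*\)"/>.*|\1|p' "$1"
}

# set_instance_port SETUP_XML PORT
# Keeps SETUP_XML.orig so the change can be reverted.
set_instance_port() {
    xml=$1
    port=$2
    case "$port" in
        ''|*[!0-9]*) echo "port must be a number, got '$port'" >&2; return 1 ;;
    esac
    # Any TCP port is 1..65535; ports below 1024 need root privileges to bind.
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    n=$(grep -c 'name="instance.port"' "$xml")
    [ "$n" -eq 1 ] || { echo "$xml: expected one instance.port property, found $n" >&2; return 1; }
    cp "$xml" "$xml.orig" || return 1
    sed -e "s|\(<property name=\"instance.port\" value=\"\)[0-9]*\(\"/>\)|\1$port\2|" \
        "$xml.orig" > "$xml"
}

# Demonstration on a constructed setup.xml fragment in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/setup.xml" <<'EOF'
<project name="glassfish-setup" default="all">
  <property name="domain.name" value="domain1"/>
  <property name="admin.port" value="4848"/>
  <property name="instance.port" value="8080"/>
</project>
EOF
set_instance_port "$demo_dir/setup.xml" 8090 \
    && echo "instance.port is now $(get_instance_port "$demo_dir/setup.xml")"
rm -rf "$demo_dir"
```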

To Create an Agent Password File

The location of this file is required and will be prompted for by the agent installer.
  1. Create an ASCII text file for the agent profile. The following is an example of such a text file: /pa3gf/gfagentpw

    I combined steps one and two by creating the file (gfagentpw) and adding the password (agent123) in a single command as follows (issued from the root directory):

    # echo agent123>>pa3gf/gfagentpw

  2. Using a text editor, enter the appropriate password in clear text on the first line of the file.
  3. Secure the  password file appropriately, depending on the requirements of your deployment.
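As an added example (not from the blog), here are two POSIX shell functions that create the agent password file as steps 1 to 3 describe, but with owner-only permissions from the moment the file exists, and that verify it holds exactly one clean line before you point the installer at it. The file name and sample password are the ones from this entry; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the blog): create the agent password file with
# owner-only permissions and verify it is in the shape the installer expects:
# the password alone on the first line, nothing else in the file.

# write_agent_pw_file FILE [PASSWORD]
# Without a PASSWORD argument the password is read from stdin, which keeps it
# out of the process list (a command-line argument is visible to ps).
# The file is recreated, never appended to, so a second run cannot leave two lines.
write_agent_pw_file() {
    file=$1
    if [ $# -ge 2 ]; then pw=$2; else IFS= read -r pw || true; fi
    [ -n "$pw" ] || { echo "$file: refusing to write an empty password" >&2; return 1; }
    [ ! -L "$file" ] || { echo "$file: is a symlink, refusing" >&2; return 1; }
    old_umask=$(umask)
    umask 077                      # a new file starts out as rw-------
    : > "$file" || { umask "$old_umask"; return 1; }
    chmod 600 "$file"              # an existing file may have had a wider mode
    printf '%s\n' "$pw" > "$file"  # one line, one newline, no trailing spaces
    umask "$old_umask"
}

# verify_agent_pw_file FILE
# Succeeds only when FILE has exactly one non-empty line with no whitespace
# in it and no permission bits for group or other.
verify_agent_pw_file() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    lines=$(awk 'END { print NR }' "$file")
    [ "$lines" -eq 1 ] || { echo "$file: expected exactly one line, found $lines" >&2; return 1; }
    line=$(head -n 1 "$file")
    [ -n "$line" ] || { echo "$file: first line is empty" >&2; return 1; }
    case "$line" in *[[:space:]]*) echo "$file: whitespace on the password line" >&2; return 1;; esac
    # POSIX find: print the file if any group (070) or other (007) bit is set.
    open=$(find "$file" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
                                 -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$open" ] || { echo "$file: accessible by group or other; run chmod 600" >&2; return 1; }
}

# Demonstration with the entry's file name and password under a temporary directory.
demo_dir=$(mktemp -d)
write_agent_pw_file "$demo_dir/gfagentpw" agent123 && verify_agent_pw_file "$demo_dir/gfagentpw" \
    && echo "$demo_dir/gfagentpw is ready for agentadmin"
rm -rf "$demo_dir"
```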

To Create the Agent Profile in the OpenSSO Console

When I create the agent, I won't choose the option for the agent installer to create the agent profile for me automatically (agentadmin --custom-install), so I need to do this task myself.
  1. Using a browser, log in to OpenSSO Console as amAdmin.
    For me, I'm using the OpenSSO instance that I installed on Tomcat 6.0, which I discussed in the following entry: http://blogs.sun.com/JohnD/entry/how_to_install_tomcat_6.
    In that entry, I refer to that machine as follows: http://TomcatHost.example.com:8080/
    Since the Tomcat host is now also the OpenSSO host, I'll be referring to it as OpenssoHost.
    The following two examples demonstrate potential formatting for the URL of the login page:
    • http://OpenssoHost.example.com:8080/opensso
    • http://FamHost.example.com:8080/fam
  2. Select Access Control tab > realm name (such as opensso) > Agents > J2EE
  3. In the Agent section, click New.
  4. Fill in the fields as appropriate:

    Field                Example Value
    Name                 glassfishagent
    Password             agent123
    Re-enter Password    agent123
    Configuration        Centralized
    Server URL           http://OpenssoHost.example.com:8080/opensso
    Agent URL            http://AgentHost.example.com:8090/agentapp

About the fields: Note the name and password you enter, since you will need this information again. The password must be the same as the password in the agent password file. Centralized configuration is a key aspect of Policy Agent 3.0 and allows you to control the agent from the OpenSSO Console. For the Server URL, enter the information for the OpenSSO server; in this case, I'm using Tomcat 6.0, which I discussed in the following entry: http://blogs.sun.com/JohnD/entry/how_to_install_tomcat_6. For the Agent URL, enter the information for the GlassFish server that you just installed, with the port number for domain1, which for my scenario was port 8090.

To Install GlassFish Agent (appserver_v9_agent)

This task describes how to install the GlassFish agent, appserver_v9_agent, on the GlassFish server.
  1. Download the Sun Java System Application Server 9 agent to the directory in which you want to unpack the agent binaries.

    I'm using nightly builds instead of "Stable Agent Builds," such as builds tested with OpenSSO V1 Build 4.5. For the agent, I wanted to use a June 29 build to match the date of the OpenSSO build I installed on Tomcat. However, that download was not working for me for some reason. So, instead, I got the June 30 download of this agent, at this location:
    http://download.java.net/general/opensso/nightly/20080630.1/j2eeagents/
    Anyway, you can download a build with which you're comfortable. Look here:
    https://opensso.dev.java.net/public/use/index.html

    By the way, I'm downloading the agent into the following directory: /pa3gf

  2. Unzip the zip file.
    For example:
    # unzip appserver_v9_agent_3.zip

  3. Stop the GlassFish domain with the following command (from the root directory):
    # glassfish/bin/asadmin stop-domain domain1
    If you don't shut down the domain before installing the agent, the installer will modify files while the domain is still running.

  4. Change to the directory that contains the agentadmin utility. For example:
    # cd /pa3gf/j2ee_agents/appserver_v9_agent/bin

  5. Set the permissions for the agentadmin utility. For example:
    # chmod 755 agentadmin

  6. Start the agent installation. For example:
    # ./agentadmin --install

    I used ./agentadmin --install instead of ./agentadmin --custom-install.

  7. Complete the installation as described in the substeps that follow:
    1. Continually press enter to accept the various parts of the license agreement.

    2. Enter yes to accept the complete agreement.
      You must then answer the agent installer prompts. Many of your responses will be responses you provided when you created the agent profile.

    3. Respond to the following prompt:
      Enter the Application Server Config Directory Path
      [/opt/SUNWappserver/domains/domain1/config]:

      I responded with the following:
      /pa3gf/glassfish/domains/domain1/config

    4. Respond to the following prompt:
      Federated Access Manager URL:

      I responded with the name of the Tomcat server, on which I installed OpenSSO:
      http://OpenssoHost.example.com:8080/opensso

    5. Respond to the following prompt:
      Agent URL:

      I responded with the name of the GlassFish instance including the port for domain1:
      http://AgentHost.example.com:8090/agentapp

    6. Respond to the following prompt:
      Enter the Agent Profile name:

      I responded with the following:
      glassfishagent

    7. Respond to the following prompt:
      Enter the path to the password file:

      I responded with the following:
      /pa3gf/gfagentpw

      Then, a summary of your responses is displayed as such:

      -----------------------------------------------
      SUMMARY OF YOUR RESPONSES
      -----------------------------------------------
      Application Server Config Directory :
      /pa3gf/glassfish/domains/domain1/config
      Federated Access Manager URL :
      http://OpenssoHost.example.com:8080/opensso/
      Agent URL : http://AgentHost.example.com:8090/agentapp
      Agent Profile name : glassfishagent
      Agent Profile Password file name : /pa3gf/gfagentpw

      Verify your settings above and decide from the choices below.
      1. Continue with Installation
      2. Back to the last interaction
      3. Start Over
      4. Exit

    8. Respond to the following prompt by providing one of the options listed at the end of the summary:
      Please make your selection [1]:

      I responded with the following:
      1

To Deploy Applications on GlassFish

There are a few ways to deploy applications on GlassFish. This task shows the method I used. I deployed two applications at the same time. The agentapp.war file is used for housekeeping tasks. The agentsample.ear file is the J2EE agent sample application, which gives you the opportunity to practice protecting an application with the agent. Therefore, you can create policies and perform other tasks that control access to the application. I plan to add a blog entry in the future about using the sample application, so I've decided to deploy it now.

  1. Copy the agentapp.war file and the agentsample.ear file to the GlassFish autodeploy directory. For example, from the root directory, I issued the following commands:

    # cp /pa3gf/j2ee_agents/appserver_v9_agent/etc/agentapp.war /pa3gf/glassfish/domains/domain1/autodeploy

    # cp /pa3gf/j2ee_agents/appserver_v9_agent/sampleapp/dist/agentsample.ear /pa3gf/glassfish/domains/domain1/autodeploy

    [Image: GlassFish Console: Left Pane]

  2. Start the GlassFish server with the appropriate command. For example I issued the following command (from the root directory):
    # pa3gf/glassfish/bin/asadmin start-domain domain1

    When the domain starts, the two applications will deploy.

  3. Verify that the Application Server is running and the two applications were deployed as described in the substeps that follow:
    1. Using a browser, access http://GlassFishHost.example.com:4848
    2. Log in with the proper credentials. For example:
      User name: admin
      Password: adminadmin

  4. In the left pane, click the arrows next to the following labels:
    • Enterprise Applications
    • Web Applications

    You should see the two applications you just deployed, the agentsample and the agentapp, as illustrated in the image to the right.

    Now things are set for you to experiment with the sample application, which is what I'd like to get into soon myself. Hopefully, I'll be blogging about my travails with the sample application soon.

    As I mentioned at the beginning of this entry, Sean Brydon has written up quite a bit about the J2EE sample application; the quick example is here and the detailed example is here.